My Photo
Subscribe to this blog's feed




Recent Comments

LMT Authors

Recent Posts

80 posts categorized "Forensics & Deep Packet Capture" Feed

March 26, 2013

Batteries in my TAP, in my Network, What are you thinking? (by The Oldcommguy)

There is a new trend of putting batteries in network access devices that I am really not sure of, so here are my thoughts as well as some very sobering and REAL documented issues!

Computer fire

 First let’s talk about the reality of batteries, ALL BATTERIES – Especially All Rechargeable's!!

  • They need a charge cycle thus a charge and discharge circuit.
    • This is VERY important! As no charging or overcharging can cause a rupture, fire, etc.
    • YOU CANNOT JUST LET a battery ( Lithium, NiCd or NiMH) just sit in a device without expecting failure, sooner or later.
    • You need some notification of the condition of the batteries charge state
    • You need to know that it needs replacing or a serious rupture and/or fire can occur.
      • If it ruptures you can have serious caustic situation in the air and in the chemical spill
      • The older a battery gets the higher potential for a failure and rupture
        • United States Consumer Product Safety Commission (CPSC)
          • When burning, a battery/cell can reach temperatures of 700C+
            • That will easily burn through aluminum and almost anything else
            • During and after burning there will be not only hazardous/poisonous gasses but a dangerous caustic spill!

Continue reading "Batteries in my TAP, in my Network, What are you thinking? (by The Oldcommguy)" »

Posted in CALEA & Lawful Intercept, Forensics & Deep Packet Capture, Oldcommguy, Protocol Analysis | | Comments (4) | TrackBack (0)

| |

March 07, 2013

Role of Packet Capture in Network Security (by Jim MacLeod)



While working on my yard this weekend, I started thinking about the tools that I was using. My favorite is probably the weed whacker. While it’s intended for up-close trimming, its design gives it a great deal of versatility. I can use it to trim, edge, weed, mow, or even dig small holes. However, I recognize that it’s not my only tool, and the best results with the least effort will come from using it in combination with other purpose-built devices. Using a weed whacker to mow the lawn is time consuming and requires more effort than pushing the lawn mower, especially since the weed whacker only covers a small area at once, and forces me to choose how deep to go.

Those of us who love packets tend to feel similarly about our packet capture. We know that professional grade tools can monitor networks 24x7, providing statistical information about protocol and node usage, as well as deep dives for captured traffic once we’ve identified what we need to analyze. However, other purpose built tools are better at certain things. Firewall logs show what traffic was forwarded or blocked. Intrusion Detection Systems (IDS) classify traffic based on patterns that have been seen in malicious activity. While we can gather the same information with packet capture, it takes more work to get to the point of finding what needs to be examined, and what can be ignored.


Continue reading "Role of Packet Capture in Network Security (by Jim MacLeod)" »

Posted in Deep Packet Inspection, Forensics & Deep Packet Capture, Intrusion Detection, WildPackets | | Comments (0) | TrackBack (0)

| |

February 15, 2013

Never Give Up While Freedom Is On The Line (by Casey Mullis)

I recently had the pleasure of assisting another Investigator from Carroll County with forensics on one of the new Macbook Pro 13 inch with a 128 GB SSD. The first thing you notice is there is no CD/DVD drive. There is also no Firewire port only a thunderbolt port and USB 3.0.

So now what? I first tried booting with Blackbag's  MacQuasition but it would not boot. I called Blackbag tech support and found out that the version I had did not support the new model of Macbook that we were working on. The hard drive in the Macbook was a SSD nonstandard drive. See image(s) below.

  Cybercrime

So what do you do? Do you give up on getting the forensic image of the hard drive or do you push forward and keep digging to find a solution?

Continue reading "Never Give Up While Freedom Is On The Line (by Casey Mullis)" »

Posted in Casey Mullis, Cyber Crime, Forensics & Deep Packet Capture, Malware & Crimeware | | Comments (0) | TrackBack (0)

| |

December 21, 2012

Working during the last week in December? Here's a list to keep you busy (by Chris Greer)

So you drew the short straw and you're on deck to support the network from December 24th-Jan 1st.

First - Sorry, that's a drag.

But, it's also a great time to do some much needed network baselining, documentation, and troubleshooting. So while you are sitting at work recovering from your egg-nog hangover, take advantage of the fact that there is minimal traffic on the network, server use is low, and most of the users are gone. In a word:

BASELINE!

It’s time to get a fresh baseline. Not only because of the lower network usage, but because it’s a great way to go into the new year, when new problems, expansions, upgrades, and rollouts are bound to occur. Who really has time for a baseline once things go into full swing in 2013?

Continue reading "Working during the last week in December? Here's a list to keep you busy (by Chris Greer)" »

Posted in Chris Greer, Forensics & Deep Packet Capture, Switching & Routing, Test & Measurement | | Comments (0) | TrackBack (0)

| |

December 04, 2012

DEFT 7.1 Introduction and Videos (by Casey Mullis)

Why do I need a forensically sound  image?        What is a forensic image?

What makes up a forensic image?       How do I make a forensically sound Image?

The questions listed above are four that we are going to answer here today, before we go any further in to DEFT 7.1

What is DEFT 7.1? DEFT is a very professional and stable system that includes excellent hardware detection and the best free and open source applications dedicated to Incident Response, Cyber Intelligence and Computer Forensics. It is one tool in many an investigator should have!

DEFT is meant to be used by:

  • Military
  • Police
  • Investigators
  • IT Auditors
  • Individuals

And DEFT is 100% made in Italy

DEFT 7 is based on the new Kernel 3 (Linux side) and the DART (Digital Advanced Response Toolkit) with the best freeware Windows Computer Forensic tools. It’s a new concept of Computer Forensic system that use LXDE as desktop environment and WINE for execute Windows tools under Linux and mount manager as tool for device management.

English manual can be downloaded  - http://www.deftlinux.net/doc/EN-deft7.pdf

Continue reading "DEFT 7.1 Introduction and Videos (by Casey Mullis)" »

Posted in CALEA & Lawful Intercept, Casey Mullis, Forensics & Deep Packet Capture, Law Enforcement, Oldcommguy, Technology and Society | | Comments (0) | TrackBack (0)

| |

November 06, 2012

What Makes Your Network Weak (By Jim MacLeod)



Your network is going to be attacked. Get used to that idea. At least one of those attacks will succeed, and there’s not a lot you can do to stop it. However, what you can do is delay the inevitable breach and attempt to control what the attacker will be able to do once he or she gets in, and you can proactively prepare your response.

If you don’t believe that you’re vulnerable, take a minute to scan your favorite news feed for security breaches. If you think you’re too big, look at the large examples out there like the White House, large banks, health care systems, and large corporations who presumably have the talent and resources to stop attackers in their tracks. If you think you’re too small to be a target, I recently heard of a friend – an expert in network forensics – whose computer got hijacked by a drive-by download on a web site. Fortunately, the PC was recoverable, but it required pulling the hard drive and mounting it on another PC to clean. Small sites are also attractive to attackers as pivot points to launch larger attacks and as storage points for illegal material, which leaves you as an inadvertent partner of the attack.


Continue reading "What Makes Your Network Weak (By Jim MacLeod)" »

Posted in Deep Packet Inspection, Forensics & Deep Packet Capture, Intrusion Detection, WildPackets | | Comments (0) | TrackBack (0)

| |

August 27, 2012

Network Data Storage Best Practices (by Spencer Greene)



How long should I store packet captures?  How much storage should I provision to monitor a 10Gbps link?  When is NetFlow enough, and when do I need to capture at the packet level?

These are questions network operations managers everywhere are asking, because unfortunately best practices for network data retention policies are hard to find.  Whereas CIOs now generally have retention policies for customer data, internal emails and other kinds of files, and DBAs generally know how to implement those policies, the right retention policy for network capture data is less obvious.

The good news is that there are IT shops out there that are ahead of the curve and have figured a lot of this out.


Background

To begin with, it’s important to clarify for your own organization what the goals are for network history.  Some common answers include:

  1. Respond faster to difficult network issues
  2. Establish root cause and long-term resolution
  3. Contain cyber-security breaches
  4. Optimize network configuration
  5. Plan network upgrades


Continue reading "Network Data Storage Best Practices (by Spencer Greene)" »

Posted in Application Performance, Deep Packet Inspection, Forensics & Deep Packet Capture | | Comments (1) | TrackBack (0)

| |

August 24, 2012

DEFT 7 Cyber Forensic Tool Overview (by Casey Mullis)

DEFT 7 "REAL" and powerful Cyber Forensic Tool overview!

My name is Casey and I have been learning computers for over 13+ years. My favorite thing to do is to break in to encryption or password protected cyber stuff. I find it funny how insecure and naive we really are in this digital age.

In no means am I saying that I am some great hacker, I just love learning especially to help get criminals. There is so much out on the net to help you do whatever it is you are looking to do. Sometimes you have to spend money to buy tools to get the job done. Sometimes the tool is right in front of your face, if you only opened your eyes. In this case you open Google and do a little searching.

There are many open source tools out there free for use by anyone willing to take the time to find it and research how to use it. What is “Open Source” well the wiki answer is the following:

“In production and development, open source is a philosophy, or pragmatic methodology that promotes free redistribution and access to an end product's design and implementation details [citation needed]. Before the phrase open source became widely adopted, developers and producers used a variety of phrases to describe the concept; open source gained hold with the rise of the Internet, and the attendant need for massive retooling of the computing source code.[citation needed] Opening the source code enabled a self-enhancing diversity of production models, communication paths, and interactive communities.[1] The open-source software movement was born to describe the environment that the new copyright, licensing, domain, and consumer issues created”

Resource: http://en.wikipedia.org/wiki/Open_source

Continue reading "DEFT 7 Cyber Forensic Tool Overview (by Casey Mullis)" »

Posted in Casey Mullis, Data Seizure Tools, Forensics & Deep Packet Capture, Law Enforcement | | Comments (1) | TrackBack (0)

| |

June 30, 2012

Who owns network history? (by Spencer Greene)

Network History a Key to network success!

The task of knowing exactly what has happened on a network isn’t always easy, but perhaps even more perplexing to IT organizations is determining who is actually responsible for culling this crucial information. Particularly, should network recording and flow collector tools be operated by the security team or by the networking operations team? 

The cop-out here would be to say, “It depends on the organization,” and then move on to the next question.  After all, both network and security groups need to use network history data, and both groups generally have the right skills to operate network recording equipment. Additionally, you could find examples of successful deployments from both directions. So to say there is a concrete answer that fits each and every situation would be presumptuous, however there are pretty compelling arguments that suggest the network operations side should likely own the task. Let’s take a closer look.

History

In point of fact, there is a clear trend here: Network history is becoming a core network service, and as such, the best practice in most organizations is for it to be owned by the network operations group.  Forward-looking network operations teams are keeping network history for their own purposes – to respond to difficult issues and understand network traffic patterns – and they are providing appropriate access to security teams and cooperating with them to deal with security incidents.  From the security side, we see more and more teams expecting and demanding network history to be provided by the network itself and deploying their own network history equipment only when the network operations team absolutely can’t be convinced.

 Why is this so?  Here are a few of the reasons we have encountered:

Continue reading " Who owns network history? (by Spencer Greene)" »

Posted in Forensics & Deep Packet Capture, Malware & Crimeware | | Comments (0) | TrackBack (0)

| |

June 28, 2012

Security Threats Continued: The How (by Jim MacLeod)

For our first part of “Security Threats: The Who, The How, and The Why,” we discussed the Who aspect, dissecting the three main classification of attackers: The Script Kiddie, Insiders, and Juggernauts.

This blog will cover the How aspect of today’s threat landscape, providing some tips and tricks to ensure that your network is protected as much as possible. The Why will be following in our third and final installment.

Spy

How do the Script Kiddies, Insiders, and Juggernauts penetrate your system? 

  1. Denial of Service (DoS)
  2. Vulnerability
  3. Weakness

Continue reading "Security Threats Continued: The How (by Jim MacLeod)" »

Posted in Forensics & Deep Packet Capture, WildPackets | | Comments (0) | TrackBack (0)

| |

Next »

LMT Advertisers


LMT Sponsors

News From LMT Sponsors

  • Endace

  • Datacom

  • NetScout

  • WildPackets

  • Sharkfest

  • Anue Systems

  • National Instruments

  • Riverbed

  • Net Optics
  • Garland